Decipher the passwords of your user account with John the Ripper
I wanted to try out the password cracker "John the Ripper" (1).
- I first had to set up the config file correctly (the fast step for a newbie, without reading too much, is to grab the one from GitHub (see below) and comment out 3 sections) (2)
- the result was stunning: John was so fast to crack this! This should be shown to users who set easy passwords!
I. get the password files (as root, or (3)):
umask 077
unshadow /etc/passwd /etc/shadow > mypasswd
II. I had to create the config file first:
fopen: /usr/share/john/john.conf: No such file or directory
III. then I tried:
john mypasswd
Loaded 1 password hash (descrypt, traditional crypt(3) [DES 32/32])
No "single crack" mode rules found in /usr/share/john/john.conf
then I read into the options of the config file, and added:
Wordlist = /home/tux/Downloads/all
but still no success. Still same message!
V. So I googled for an existing config file
and tried this one:
I had to remove 3 sections where it complained later at running:
#Error in /usr/share/john/john.conf at line 432
and then it worked :-)
and boy was that fast (the test password was: 1234567)!
john mypasswd
john --show mypasswd
root:**1234567**:0:0:Root Administrator:/root:/bin/sh
tux:NO PASSWORD:1000:100:SliTaz User:/home/tux:/bin/sh
2 password hashes cracked, 0 left
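A defender-side follow-up to the run above, added here as an example and not part of the original post: a shell function that reads shadow(5)-format lines and flags accounts stored as descrypt (the format John reported for root) or with an empty password field (the `tux:NO PASSWORD` line). The function names and the sample lines are constructed for illustration; the hash fields are placeholders.

```shell
#!/bin/sh
# Added example: audit shadow(5)-format lines for entries that fall quickly
# to a cracker. Function names and sample data are constructed.

# Constructed sample; the hash fields are placeholders, not real hashes.
sample_shadow() {
    cat <<'EOF'
root:XXplaceholder:15000:0:99999:7:::
tux::15000:0:99999:7:::
alice:$6$constructedsalt$CONSTRUCTEDPLACEHOLDER:19000:0:99999:7:::
bob:$1$constructed$CONSTRUCTEDPLACEHOLDER:19000:0:99999:7:::
daemon:*:15000:0:99999:7:::
EOF
}

# Reads shadow lines on stdin, prints "user: verdict" for each account and
# returns 1 if any account is WEAK or EMPTY, 0 otherwise.
audit_shadow() {
    awk -F: '
    function verdict(h,    p) {
        p = substr(h, 1, 3)
        if (h == "")                  return "EMPTY (no password required)"
        if (h ~ "^[!*]")              return "locked"
        if (p == "$1$")               return "WEAK md5crypt"
        if (p == "$5$")               return "ok sha256crypt"
        if (p == "$6$")               return "ok sha512crypt"
        if (p == "$y$")               return "ok yescrypt"
        if (substr(h, 1, 2) == "$2")  return "ok bcrypt"
        # Traditional DES crypt: exactly 13 characters, no "$" prefix.
        if (length(h) == 13 && h ~ "^[./0-9A-Za-z]+$")
            return "WEAK descrypt (only the first 8 characters count)"
        return "unknown scheme"
    }
    NF >= 2 {
        v = verdict($2)
        print $1 ": " v
        if (v ~ "^(WEAK|EMPTY)") bad = 1
    }
    END { exit bad + 0 }'
}

# Demo on the constructed sample. On a real system, as root:
#   audit_shadow < /etc/shadow
sample_shadow | audit_shadow || echo "weak or empty password entries found"
```

Accounts flagged WEAK keep the old hash until the system's default scheme is changed and the password is set again.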
(1) After cooking a @SliTaz package you also have to test it.
So, here is how the test went,
and I can use this for my future package builds.
(2) Later I saw that the GitHub repo is from 2013,
so better find another repo first.
But that is what DuckDuckGo gave me on the 1st page.
(3) or your local state agency utilizes flaws in specific software packages of your OS ;-)